Headline
RHSA-2023:4061: Red Hat Security Advisory: .NET 6.0 security, bug fix, and enhancement update
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-33170: A vulnerability was found in dotNET applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords and bypass security restrictions. This flaw allows a remote attacker to bypass security features, causing an impact on confidentiality, integrity, and availability.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-07-13
Updated:
2023-07-13
RHSA-2023:4061 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: .NET 6.0 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (SDK 6.0.120, Runtime 6.0.20). (BZ#2219635)
Security Fix(es):
- dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync method (CVE-2023-33170)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- dotNET on RHEL (for RHEL Server) 1 x86_64
- dotNET on RHEL (for RHEL Workstation) 1 x86_64
- dotNET on RHEL (for RHEL Compute Node) 1 x86_64
Fixes
- BZ - 2221854 - CVE-2023-33170 dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync method
dotNET on RHEL (for RHEL Server) 1
SRPM
rh-dotnet60-dotnet-6.0.120-1.el7_9.src.rpm
SHA-256: 311f63198ca29268ce4162ea975f393d33bd743b3c7428130ea8a27ddc37beb9
x86_64
rh-dotnet60-aspnetcore-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f4c5105b852f9060f79bf90f073e374629676f7e5af48f59565b1a2cd89dfeca
rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f1ec073426c68acfc47189754563e42c3a29fb9b103cf75374febbb4414dba07
rh-dotnet60-dotnet-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 93329b81631c70d79b9281e68f6ca231bec455e96f3a57d16904eac4b0b5034f
rh-dotnet60-dotnet-apphost-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 5a35c31db104f5e7f770e24608994b1c44dc7a84106548d2ab9b42c9e1f4b357
rh-dotnet60-dotnet-debuginfo-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 58bd2b1a4bc8d20c67c2bfb709d430569612fe7525f6fd0b4d991dba07cb1608
rh-dotnet60-dotnet-host-6.0.20-1.el7_9.x86_64.rpm
SHA-256: d154a1970e96fe9ad84ff63bd9130f99d52c51b1a1290c9d3d3a72d11db21536
rh-dotnet60-dotnet-hostfxr-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6def9036f3c7b1f58b87d9f64d1f766c4e58aa0e6043eac16de1cea94f4f307f
rh-dotnet60-dotnet-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: ac97a6f24f3fe62b4c58481ade1948f117fc21cb418b2033d6fb29b2f8004bc5
rh-dotnet60-dotnet-sdk-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 1e00368bc12f4f7b82d0b291b3cd9d8796bfb37e55eca9c3e0baa479e3c590a1
rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 6e19311812923935110e506ae689a71a126bb16f1b1bee207bf27fec8092da9f
rh-dotnet60-dotnet-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6555333a32e7756bb5ea3a84b58d246a2b51300ea8ae7b0365829c45f3dadbe9
rh-dotnet60-dotnet-templates-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 01be8908f6fb816650f00219adeb0fec50e8a99dfcb20d3585d8648deda0ee1c
rh-dotnet60-netstandard-targeting-pack-2.1-6.0.120-1.el7_9.x86_64.rpm
SHA-256: e43da48a68e734f959be3a6d2ca1763b3679825d072427981538ef1696e76ea7
dotNET on RHEL (for RHEL Workstation) 1
SRPM
rh-dotnet60-dotnet-6.0.120-1.el7_9.src.rpm
SHA-256: 311f63198ca29268ce4162ea975f393d33bd743b3c7428130ea8a27ddc37beb9
x86_64
rh-dotnet60-aspnetcore-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f4c5105b852f9060f79bf90f073e374629676f7e5af48f59565b1a2cd89dfeca
rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f1ec073426c68acfc47189754563e42c3a29fb9b103cf75374febbb4414dba07
rh-dotnet60-dotnet-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 93329b81631c70d79b9281e68f6ca231bec455e96f3a57d16904eac4b0b5034f
rh-dotnet60-dotnet-apphost-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 5a35c31db104f5e7f770e24608994b1c44dc7a84106548d2ab9b42c9e1f4b357
rh-dotnet60-dotnet-debuginfo-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 58bd2b1a4bc8d20c67c2bfb709d430569612fe7525f6fd0b4d991dba07cb1608
rh-dotnet60-dotnet-host-6.0.20-1.el7_9.x86_64.rpm
SHA-256: d154a1970e96fe9ad84ff63bd9130f99d52c51b1a1290c9d3d3a72d11db21536
rh-dotnet60-dotnet-hostfxr-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6def9036f3c7b1f58b87d9f64d1f766c4e58aa0e6043eac16de1cea94f4f307f
rh-dotnet60-dotnet-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: ac97a6f24f3fe62b4c58481ade1948f117fc21cb418b2033d6fb29b2f8004bc5
rh-dotnet60-dotnet-sdk-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 1e00368bc12f4f7b82d0b291b3cd9d8796bfb37e55eca9c3e0baa479e3c590a1
rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 6e19311812923935110e506ae689a71a126bb16f1b1bee207bf27fec8092da9f
rh-dotnet60-dotnet-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6555333a32e7756bb5ea3a84b58d246a2b51300ea8ae7b0365829c45f3dadbe9
rh-dotnet60-dotnet-templates-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 01be8908f6fb816650f00219adeb0fec50e8a99dfcb20d3585d8648deda0ee1c
rh-dotnet60-netstandard-targeting-pack-2.1-6.0.120-1.el7_9.x86_64.rpm
SHA-256: e43da48a68e734f959be3a6d2ca1763b3679825d072427981538ef1696e76ea7
dotNET on RHEL (for RHEL Compute Node) 1
SRPM
rh-dotnet60-dotnet-6.0.120-1.el7_9.src.rpm
SHA-256: 311f63198ca29268ce4162ea975f393d33bd743b3c7428130ea8a27ddc37beb9
x86_64
rh-dotnet60-aspnetcore-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f4c5105b852f9060f79bf90f073e374629676f7e5af48f59565b1a2cd89dfeca
rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: f1ec073426c68acfc47189754563e42c3a29fb9b103cf75374febbb4414dba07
rh-dotnet60-dotnet-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 93329b81631c70d79b9281e68f6ca231bec455e96f3a57d16904eac4b0b5034f
rh-dotnet60-dotnet-apphost-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 5a35c31db104f5e7f770e24608994b1c44dc7a84106548d2ab9b42c9e1f4b357
rh-dotnet60-dotnet-debuginfo-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 58bd2b1a4bc8d20c67c2bfb709d430569612fe7525f6fd0b4d991dba07cb1608
rh-dotnet60-dotnet-host-6.0.20-1.el7_9.x86_64.rpm
SHA-256: d154a1970e96fe9ad84ff63bd9130f99d52c51b1a1290c9d3d3a72d11db21536
rh-dotnet60-dotnet-hostfxr-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6def9036f3c7b1f58b87d9f64d1f766c4e58aa0e6043eac16de1cea94f4f307f
rh-dotnet60-dotnet-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: ac97a6f24f3fe62b4c58481ade1948f117fc21cb418b2033d6fb29b2f8004bc5
rh-dotnet60-dotnet-sdk-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 1e00368bc12f4f7b82d0b291b3cd9d8796bfb37e55eca9c3e0baa479e3c590a1
rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 6e19311812923935110e506ae689a71a126bb16f1b1bee207bf27fec8092da9f
rh-dotnet60-dotnet-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
SHA-256: 6555333a32e7756bb5ea3a84b58d246a2b51300ea8ae7b0365829c45f3dadbe9
rh-dotnet60-dotnet-templates-6.0-6.0.120-1.el7_9.x86_64.rpm
SHA-256: 01be8908f6fb816650f00219adeb0fec50e8a99dfcb20d3585d8648deda0ee1c
rh-dotnet60-netstandard-targeting-pack-2.1-6.0.120-1.el7_9.x86_64.rpm
SHA-256: e43da48a68e734f959be3a6d2ca1763b3679825d072427981538ef1696e76ea7
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-4449-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.120 and .NET Runtime 6.0.20. Issues addressed include code execution, denial of service, and heap corruption vulnerabilities.
Red Hat Security Advisory 2023-4448-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.120 and .NET Runtime 6.0.20. Issues addressed include code execution, denial of service, and heap corruption vulnerabilities.
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29331: A vulnerability was found in dotnet. This issue can lead to a denial of service while processing X509 Certificates. * CVE-2023-29337: A vulnerability was found in dotnet. This issue exists in NuGet where a potential race condition can lead to a symlink attack. * CVE-2023-33128: A vulnerability was found in dotnet. This...
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29331: A vulnerability was found in dotnet. This issue can lead to a denial of service while processing X509 Certificates. * CVE-2023-29337: A vulnerability was found in dotnet. This issue exists in NuGet where a potential race condition can lead to a symlink attack. * CVE-2023-33128: A vulnerability was found in dotnet. This...
Red Hat Security Advisory 2023-4058-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
Ubuntu Security Notice 6217-1 - McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did not properly update account lockout maximum failed attempts. An attacker could possibly use this issue to bypass the security feature and attempt to guess more passwords for an account.
# Microsoft Security Advisory CVE-2023-33170: .NET Security Feature Bypass Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and above. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exist in ASP.NET Core applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/aspnetcore/issues/49334 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any ASP.NET 7.0 application running on .NET 7.0.8 or earlier. * Any ASP.NET 6.0 application running on .NET 6.0.19 or earlier. * Any ASP.N...
ASP.NET and Visual Studio Security Feature Bypass Vulnerability
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment.